Hackers Targeting Popular E-Commerce Plugin for WordPress

The WooCommerce plugin for WordPress is free and easy to use. Because of this, it’s one of the most popular e-commerce plugins available, with over 5 million installations. You can sell just about anything online with it, and that same accessibility and reach make it a target for hackers.

Ben Martin and Willem de Groot, researchers with Sanguine network security, found a new attack that specifically targets site owners with WooCommerce installed.

A spike in fraudulent credit card transaction reports from clients with the plugin installed was the first sign that something was wrong. Upon further investigation, they found a number of core WooCommerce JavaScript files with malicious code. An in-depth analysis of the code revealed it to be a new credit card skimmer that was cleverly designed to go unnoticed.

“Naturally, WooCommerce and other WordPress-based ecommerce websites have been targeted before, but this has typically been limited to modifications of payment details within the plugin settings. For example, forwarding payments to the attacker’s PayPal email instead of the legitimate website owner. Seeing a dedicated credit card swiping malware within WordPress is something fairly new,” Martin stated of the discovery.

He went on to say, “The JavaScript itself is a little difficult to understand, but one thing that is clear is that the infection saves both the credit card number and the card security code in plain text in the form of cookies. As is typical in PHP malware, several layers of encoding and concatenation are employed in an attempt to avoid detection and hide its core code from the average webmaster.”

If you use WooCommerce to handle online transactions, Martin and his team recommend disabling direct file editing for wp-admin by adding the following line to your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

While this change won’t offer 100% bulletproof protection, it will make your site more secure and harder for hackers to attack.
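
The attack described above modified core WooCommerce JavaScript files, so one way to detect it is to compare the installed plugin's .js files against a clean copy of the same plugin version. The following Python code is an added example, not code from the researchers or from WooCommerce; the directory layout, file names and file contents in the demo are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def js_hashes(root: Path) -> dict:
    """Map each .js file's path relative to root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*.js") if p.is_file()}


def compare_plugin_js(installed: Path, reference: Path) -> dict:
    """Compare installed plugin JS against a clean copy of the same version."""
    live, clean = js_hashes(installed), js_hashes(reference)
    return {
        "modified": sorted(f for f in live if f in clean and live[f] != clean[f]),
        "added": sorted(f for f in live if f not in clean),
        "missing": sorted(f for f in clean if f not in live),
    }


def build_demo(base: Path):
    """Constructed sample trees; names and contents are made up for the demo."""
    clean, live = base / "reference", base / "installed"
    for root in (clean, live):
        (root / "assets/js").mkdir(parents=True)
        (root / "assets/js/checkout.js").write_text("function pay(){}\n")
        (root / "assets/js/cart.js").write_text("function cart(){}\n")
    # Simulate tampering: text appended to a shipped file, plus a stray file.
    with (live / "assets/js/checkout.js").open("a") as fh:
        fh.write("/* appended code */\n")
    (live / "assets/js/extra.js").write_text("/* not shipped */\n")
    return live, clean


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        live_dir, clean_dir = build_demo(Path(tmp))
        for kind, files in compare_plugin_js(live_dir, clean_dir).items():
            print(kind, files)
```

On a real site, point `installed` at the plugin directory and `reference` at a freshly extracted copy of the same plugin version. WP-CLI's `wp plugin verify-checksums woocommerce` performs a comparable check against checksums published by WordPress.org.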